From 8931bddd42767eb323f4d31c728c3c3412e7fc1d Mon Sep 17 00:00:00 2001 From: Guillermo Herrero Date: Mon, 5 Mar 2018 20:54:22 +0100 Subject: [PATCH] [docs] Openstack endpoints description - Describe SSL certificate usage for public endpoints - Fixed all code-blocks formatting on the file JIRA:FUEL-328 Change-Id: Ifecab459ee0d633b4d8a254dcb01c92f76b66d4f Signed-off-by: Guillermo Herrero --- docs/release/userguide/userguide.rst | 214 ++++++++++++++++++++--------------- 1 file changed, 124 insertions(+), 90 deletions(-) diff --git a/docs/release/userguide/userguide.rst b/docs/release/userguide/userguide.rst index 6ea923267..4bdcc5557 100644 --- a/docs/release/userguide/userguide.rst +++ b/docs/release/userguide/userguide.rst @@ -60,9 +60,9 @@ Accessing the Cloud Access to any component of the deployed cloud is done from Jumpserver to user *ubuntu* with ssh key */var/lib/opnfv/mcp.rsa*. The example below is a connection to Salt master. - .. code-block:: bash + .. code-block:: bash - $ ssh -o StrictHostKeyChecking=no -i /var/lib/opnfv/mcp.rsa -l ubuntu 10.20.0.2 + $ ssh -o StrictHostKeyChecking=no -i /var/lib/opnfv/mcp.rsa -l ubuntu 10.20.0.2 **Note**: The Salt master IP is not hard set, it is configurable via INSTALLER_IP during deployment @@ -75,10 +75,10 @@ to infrastructure VMs (Salt master and MaaS). The example below is a connection to a controller VM. The connection is made from the baremetal server kvm01. - .. code-block:: bash + .. code-block:: bash - $ ssh -o StrictHostKeyChecking=no -i /var/lib/opnfv/mcp.rsa -l ubuntu x.y.z.141 - ubuntu@kvm01:~$ virsh console ctl01 + $ ssh -o StrictHostKeyChecking=no -i /var/lib/opnfv/mcp.rsa -l ubuntu x.y.z.141 + ubuntu@kvm01:~$ virsh console ctl01 User *ubuntu* has sudo rights. User *opnfv* has sudo rights only on aarch64 deploys. @@ -104,26 +104,26 @@ with *root* user. #. View the IPs of all the components - .. code-block:: bash + .. code-block:: bash - root@cfg01:~$ salt "*" network.ip_addrs - cfg01.baremetal-mcp-ocata-odl-ha.local: + root@cfg01:~$ salt "*" network.ip_addrs + cfg01.baremetal-mcp-ocata-odl-ha.local: - 10.20.0.2 - 172.16.10.100 - mas01.baremetal-mcp-ocata-odl-ha.local: + mas01.baremetal-mcp-ocata-odl-ha.local: - 10.20.0.3 - 172.16.10.3 - 192.168.11.3 - ......................... + ......................... #. View the interfaces of all the components and put the output in a file with yaml format - .. code-block:: bash + .. code-block:: bash - root@cfg01:~$ salt "*" network.interfaces --out yaml --output-file interfaces.yaml - root@cfg01:~# cat interfaces.yaml - cfg01.baremetal-mcp-ocata-odl-ha.local: + root@cfg01:~$ salt "*" network.interfaces --out yaml --output-file interfaces.yaml + root@cfg01:~# cat interfaces.yaml + cfg01.baremetal-mcp-ocata-odl-ha.local: enp1s0: hwaddr: 52:54:00:72:77:12 inet: @@ -136,77 +136,77 @@ with *root* user. prefixlen: '64' scope: link up: true - ......................... + ......................... #. View installed packages in MaaS node - .. code-block:: bash + .. code-block:: bash - root@cfg01:~# salt "mas*" pkg.list_pkgs - mas01.baremetal-mcp-ocata-odl-ha.local: - ---------- - accountsservice: - 0.6.40-2ubuntu11.3 - acl: - 2.2.52-3 - acpid: - 1:2.0.26-1ubuntu2 - adduser: - 3.113+nmu3ubuntu4 - anerd: - 1 - ......................... + root@cfg01:~# salt "mas*" pkg.list_pkgs + mas01.baremetal-mcp-ocata-odl-ha.local: + ---------- + accountsservice: + 0.6.40-2ubuntu11.3 + acl: + 2.2.52-3 + acpid: + 1:2.0.26-1ubuntu2 + adduser: + 3.113+nmu3ubuntu4 + anerd: + 1 + ......................... #. Execute any linux command on all nodes (list the content of */var/log* in this example) - .. code-block:: bash + .. code-block:: bash - root@cfg01:~# salt "*" cmd.run 'ls /var/log' - cfg01.baremetal-mcp-ocata-odl-ha.local: - alternatives.log - apt - auth.log - boot.log - btmp - cloud-init-output.log - cloud-init.log - ......................... + root@cfg01:~# salt "*" cmd.run 'ls /var/log' + cfg01.baremetal-mcp-ocata-odl-ha.local: + alternatives.log + apt + auth.log + boot.log + btmp + cloud-init-output.log + cloud-init.log + ......................... #. Execute any linux command on nodes using compound queries filter - .. code-block:: bash + .. code-block:: bash - root@cfg01:~# salt -C '* and cfg01*' cmd.run 'ls /var/log' - cfg01.baremetal-mcp-ocata-odl-ha.local: - alternatives.log - apt - auth.log - boot.log - btmp - cloud-init-output.log - cloud-init.log - ......................... + root@cfg01:~# salt -C '* and cfg01*' cmd.run 'ls /var/log' + cfg01.baremetal-mcp-ocata-odl-ha.local: + alternatives.log + apt + auth.log + boot.log + btmp + cloud-init-output.log + cloud-init.log + ......................... #. Execute any linux command on nodes using role filter - .. code-block:: bash + .. code-block:: bash - root@cfg01:~# salt -I 'nova:compute' cmd.run 'ls /var/log' - cmp001.baremetal-mcp-ocata-odl-ha.local: - alternatives.log - apache2 - apt - auth.log - btmp - ceilometer - cinder - cloud-init-output.log - cloud-init.log - ......................... + root@cfg01:~# salt -I 'nova:compute' cmd.run 'ls /var/log' + cmp001.baremetal-mcp-ocata-odl-ha.local: + alternatives.log + apache2 + apt + auth.log + btmp + ceilometer + cinder + cloud-init-output.log + cloud-init.log + ......................... @@ -217,16 +217,16 @@ Accessing Openstack Once the deployment is complete, Openstack CLI is accessible from controller VMs (ctl01..03). Openstack credentials are at */root/keystonercv3*. - .. code-block:: bash + .. code-block:: bash - root@ctl01:~# source keystonercv3 - root@ctl01:~# openstack image list - +--------------------------------------+-----------------------------------------------+--------+ - | ID | Name | Status | - +======================================+===============================================+========+ - | 152930bf-5fd5-49c2-b3a1-cae14973f35f | CirrosImage | active | - | 7b99a779-78e4-45f3-9905-64ae453e3dcb | Ubuntu16.04 | active | - +--------------------------------------+-----------------------------------------------+--------+ + root@ctl01:~# source keystonercv3 + root@ctl01:~# openstack image list + +--------------------------------------+-----------------------------------------------+--------+ + | ID | Name | Status | + +======================================+===============================================+========+ + | 152930bf-5fd5-49c2-b3a1-cae14973f35f | CirrosImage | active | + | 7b99a779-78e4-45f3-9905-64ae453e3dcb | Ubuntu16.04 | active | + +--------------------------------------+-----------------------------------------------+--------+ The OpenStack Dashboard, Horizon is available at http://:8078, e.g. http://10.16.0.11:8078. @@ -254,6 +254,42 @@ For Virtual deploys, the most commonly used IPs are in the table below. +-----------+--------------+---------------+ +=================== +Openstack Endpoints +=================== + +For each Openstack service three endpoints are created: admin, internal and public. + + .. code-block:: bash + + ubuntu@ctl01:~$ openstack endpoint list --service keystone + +----------------------------------+-----------+--------------+--------------+---------+-----------+------------------------------+ + | ID | Region | Service Name | Service Type | Enabled | Interface | URL | + +----------------------------------+-----------+--------------+--------------+---------+-----------+------------------------------+ + | 008fec57922b4e9e8bf02c770039ae77 | RegionOne | keystone | identity | True | internal | http://172.16.10.26:5000/v3 | + | 1a1f3c3340484bda9ef7e193f50599e6 | RegionOne | keystone | identity | True | admin | http://172.16.10.26:35357/v3 | + | b0a47d42d0b6491b995d7e6230395de8 | RegionOne | keystone | identity | True | public | https://10.0.15.2:5000/v3 | + +----------------------------------+-----------+--------------+--------------+---------+-----------+------------------------------+ + +MCP sets up all Openstack services to talk to each other over unencrypted +connections on the internal management network. All admin/internal endpoints use +plain http, while the public endpoints are https connections terminated via nginx +at the VCP proxy VMs. + +To access the public endpoints an SSL certificate has to be provided. For +convenience, the installation script will copy the required certificate into +to the cfg01 node at /etc/ssl/certs/os_cacert. + +Copy the certificate from the cfg01 node to the client that will access the https +endpoints and place it under /etc/ssl/certs. The SSL connection will be established +automatically after. + + .. code-block:: bash + + $ ssh -o StrictHostKeyChecking=no -i /var/lib/opnfv/mcp.rsa -l ubuntu 10.20.0.2 \ + "cat /etc/ssl/certs/os_cacert" | sudo tee /etc/ssl/certs/os_cacert + + ============================= Reclass model viewer tutorial ============================= @@ -274,36 +310,36 @@ After the installation is done, a webbrowser on the host can be used to view the #. Create a new directory at any location - .. code-block:: bash + .. code-block:: bash - $ mkdir -p modeler + $ mkdir -p modeler #. Place fuel repo in the above directory - .. code-block:: bash + .. code-block:: bash - $ cd modeler - $ git clone https://gerrit.opnfv.org/gerrit/fuel && cd fuel + $ cd modeler + $ git clone https://gerrit.opnfv.org/gerrit/fuel && cd fuel #. Create a container and mount the above host directory - .. code-block:: bash + .. code-block:: bash - $ docker run --privileged -it -v /modeler:/host ubuntu bash + $ docker run --privileged -it -v /modeler:/host ubuntu bash #. Install all the required packages inside the container. - .. code-block:: bash + .. code-block:: bash - $ apt-get update - $ apt-get install -y npm nodejs - $ npm install -g reclass-doc - $ cd /host/fuel/mcp/reclass - $ ln -s /usr/bin/nodejs /usr/bin/node - $ reclass-doc --output /host /host/fuel/mcp/reclass + $ apt-get update + $ apt-get install -y npm nodejs + $ npm install -g reclass-doc + $ cd /host/fuel/mcp/reclass + $ ln -s /usr/bin/nodejs /usr/bin/node + $ reclass-doc --output /host /host/fuel/mcp/reclass #. View the results from the host by using a browser. The file to open should be now at modeler/index.html @@ -320,5 +356,3 @@ References 1) `Installation instructions `_ 2) `Saltstack Documentation `_ 3) `Saltstack Formulas `_ - - -- 2.16.6